Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 5.0

Security Operations

CC Practice Questions

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

CC Security Operations — Key Topics

Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

  • Core Security Operations concepts and how they apply in real-world cloud scenarios.
  • How to deploy security operations correctly and verify the outcome.
  • Troubleshooting security operations issues by interpreting error output and system state.
  • Cloud best practices and Security Operations design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Security Operations

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

CC Security Operations — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

Question 3 (easy, multiple choice)

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

Question 4 (hard, multiple choice)

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

Question 5 (medium, multiple choice)

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

Question 6 (easy, multiple choice)

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

Question 7 (medium, multiple choice)

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

Question 8 (hard, multiple choice)

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

Question 9 (easy, multiple choice)

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

Question 10 (medium, multiple choice)

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

Question 11 (medium, multi select)

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Question 12 (hard, multi select)

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Question 13 (easy, multi select)

Which TWO of the following are types of security controls used in defense in depth? (Select TWO.)

Question 14 (hard, multi select)

Which THREE of the following are essential components of an incident response plan? (Select THREE.)

Question 15 (hard, multiple choice)

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

Exhibit

```
[IDS Alert] Signature: ET TROJAN Win32/SpyEye Checkin
Source IP: 10.10.10.5 -> Destination IP: 203.0.113.50
Time: 2023-03-15 14:32:45
Alert: Priority 1
```

Question 16 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

Exhibit

```
[Windows Security Log]
Event ID 4625: An account failed to log on.
Account Name: jdoe
Source Network Address: 192.168.1.100
Failure Reason: Unknown user name or bad password.
Count: 15 occurrences in 5 minutes.
```

Question 17 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

Exhibit

```
[Firewall Config]
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
```

Question 18 (hard, multiple choice)

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was ' OR '1'='1' -- . The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

Question 19 (hard, multiple choice)

A financial institution has a security operations center that monitors network traffic using a SIEM. The SIEM receives logs from all network devices, servers, and endpoints. One analyst notices an anomaly: a user account, 'jsmith', which is normally used during business hours (9 AM to 5 PM), has been logging in from a remote IP address at 2 AM every day for the past week. The logins are successful, and the user is accessing internal file shares. The user jsmith works in the accounting department and has access to sensitive financial reports. The analyst checks the user's workstation logs and finds that the workstation is powered off at the time of the remote logins. The company uses two-factor authentication, but the log entries show that only the password was used. Which of the following is the most likely explanation and the best immediate action?

Question 20 (medium, multiple choice)

A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?

Question 21 (hard, multiple choice)

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

Question 22 (easy, multiple choice)

A security operations team is implementing a new SIEM solution. They want to ensure that logs from all critical systems are collected and analyzed in real time. Which of the following is the MOST important consideration when designing the log collection architecture?

Question 23 (medium, multiple choice)

A company has implemented a security information and event management (SIEM) system. The SOC team notices that the SIEM is generating a high volume of false positive alerts from a specific web application firewall (WAF). The WAF logs show many requests with SQL injection patterns, but the application is not vulnerable. Which of the following actions would BEST reduce false positives without compromising security?

Question 24 (medium, multi select)

A SOC analyst is reviewing a security alert about a potential brute-force attack on the company's VPN server. The analyst sees multiple failed login attempts from different IP addresses within a short time frame. Which TWO actions should the analyst take to verify and respond to this incident? (Choose two.)

Question 25 (hard, multi select)

An organization is planning to implement a security operations center (SOC) and is considering different monitoring strategies. Which THREE of the following are essential components of a tiered SOC model? (Choose three.)

Question 26 (medium, multiple choice)

An analyst reviews the firewall log exhibit. The source IP 10.0.1.100 is an internal web server. The destination IP 203.0.113.50 is an external host. What does this log pattern MOST likely indicate?

Exhibit

```
EdgeRouter# show firewall log
Log for firewall-in
Fri Aug 18 14:23:45 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Aug 18 14:23:46 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Aug 18 14:23:47 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=34569 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
```

Question 27 (hard, multiple choice)

You are the lead SOC analyst for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers and cloud services (AWS). The SIEM is Splunk Enterprise, collecting logs from firewalls, IDS/IPS, endpoints (Windows and Linux), and AWS CloudTrail. Recently, the company experienced a ransomware attack that encrypted critical file servers. The initial infection vector was a phishing email that led to the download of a malicious macro-enabled document. The document was executed on a Windows workstation, which then established a C2 connection to an external IP. The C2 traffic was over HTTPS, and the workstation was part of the domain. After the attack, the forensic team found that the workstation had Windows Event Logs cleared, and the local admin account had been used to disable the antivirus. The C2 IP was later blocked, but the ransomware had already spread to file servers via SMB. As part of the lessons learned, you need to recommend improvements to prevent and detect such attacks in the future. Which of the following is the BEST course of action to address the specific weaknesses exploited in this incident?

Question 28 (easy, multiple choice)

A security analyst is reviewing an alert from the IDS that shows a large number of TCP SYN packets sent to a single port on multiple internal hosts from a single external IP address. The analyst suspects a reconnaissance attack. Which type of attack is this most likely?

Question 29 (hard, multi select)

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Question 30 (medium, multiple choice)

Refer to the exhibit. A security analyst is reviewing firewall logs and notices repeated denied TCP packets from 192.0.2.10 to internal hosts. The packets are being denied by the access-group "OUTSIDE_IN". What is the most likely reason for these denials?

Exhibit

```
=== syslog output ===
Jan 15 09:23:45 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3456 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:46 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3457 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:47 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3458 dst inside:10.0.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:48 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3459 dst inside:10.0.0.6/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:49 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3460 dst inside:10.0.0.6/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
```

Question 31 (medium, drag order)

Drag and drop the steps to create a new VLAN on a managed switch into the correct order.


More Security Operations questions available in the full practice test.
